Monthly Archives: August 2014

In this writeup, let’s take a look at Android packers in general before focusing on one of the more popular packer, Bangcle.

[An Introduction to Android Packers]

There are many useful reasons packers are used in software engineering, like for code obfuscation, compression, protecting your work against reverse engineers etc. The more sinister usage are for AV bypassing, masquerading malware and making the job of whitehat reverse engineers harder.

The common packers used for packaging EXEs are UPX Packer, RLPack, NSPack etc. As till recent times, the bulk of computer usage has been limited to PCs thus these were commonly used.

With the increase in usage of Android devices, different types of malicious Android applications were beginning to proliferate. In recent times, Android malware packaged using packers are beginning to surface in the wild.

A more detailed analysis on Android packers can be found here. In the next section, I will be focusing on one of the increasingly popular Android packer which is being used for Android malware.

[Bangcle: Android Packer]

Bangcle is a mobile application security services provider company based in China. One of the services it offer is Android app protection as shown in the screenshot above.

A user just have to register and subsequently use the dashboard to upload your apk file and you will get the bangcled apk ready for use.

I tested with a simple Hello World application. Before bangcling this is how the app’s structure will look like.

After uploading the hello world apk to be bangcled the resultant apk will be as shown below:

After the app has been bangcled you will have additional library files (libsecexe.so, libsecmain.so etc) and new Java class files (ACall.class, ApplicationWrapper.class, FirstApplication.class).

And the new bangcled application will also have additional permissions. Do take note that the actual hello world had no permissions initially.

The ACall.class file loads the additional libraries, FirstApplication.class file calls the super.onCreate function to initialize the activity and the ApplicationWrapper class subsequently loads the encrypted dex file which will be then be decrypted in the memory by the loaded libraries and finally executed. As it is being decrypted in memory, this makes static analysis of an Bangcled apk hard and tedious.

To run his script (in a Linux environment), configure an Android enmulator (using AVD from the Android SDK) and install the bangcled apk in it using adb tools (adb install <bangcled-app.apk>).

Now execute his script after starting the app in the Android emulator. The dex will be decrypted in memory as discussed earlier. The script actually scans the memory in areas where an odex shouldn’t be to detect the magic bytes (“dey\n036”) for the optimized dex file and subsequently dumps out the specific memory portion as an dex file using baksmali. So the end product is an decrypted dex file which can now be analysed 🙂

[In Summary]

As the usage of Android increases, more variants and complex malwares are being now detected. As it was in PC malware ecosystem, packers are making inroads into Android now. Bangcle which is a China based Android packer created as a means to protect one’s apk is currently being misused for packing Android malwares making reversing hard.

However, bangcled apks can now be reversed for static analysis thanks to the great work by @timstrazz.

The next writeup will be on an technical teardown of a bangcled apk found in the wild recently.

We gotten this sample from Jacob’s old friend, “Amnesia”. UUPlay application portrays itself as an legitimate Google playstore application but it also doubles up as an malware in disguise, sending out victim(s)’ information from the device. You can check the VirusTotal detection rate here. https://www.virustotal.com/en/file/918ec0a543b6774c54564fe676e7bd47456b6a95facca42a2da4a995703129b8/analysis/

[ Tools Used ]Cebero Profiler is used to disassemble the apk file to analyse the smali code.

Dex2Jar and Java Decompiler are used to decompile the apk file to a jar file and subsequently to get the java code for analysis.

Android Emulator and Burp Suite are used for the dynamic analysis portion.

[ Permissions ]

From the permissions list above, you can notice that it also haves the capability to download and install applications. Users may think that since it is a Google PlayStore app , it needs such permissions. But in this case, it also have the READ,WRITE and SEND SMS permissions. These permissions can be abused to send premium SMSes to premium numbers resulting in additional costs for the victim(s).

[ Source Code Analysis ]
The .apk is most probably obfuscated using ProGuard. From the screenshot below, one can notice that after reversing the .apk file, it seems bloated with multiple alphabetical java class files like any typical .apk file that is protected by ProGuard.

Thus it makes analyzing the source code harder. For more information on what ProGuard actually does, you can refer here. In this analysis, dynamic analysis was primarily done to map out the behavior of the application.

[ Analysing Manifest File ]
From the manifest file, there are quite a lot of activities declared under the “com.google.hfapservice” package.

For the list of Google Package names available for Android, you can refer to the list here. When checked against this list, it does not have any “com.google.hfapservice” package. It is a clear sign that these might potentially be malicious activities running in the background masquerading as Google services.

Other than these activities, from the manifest file, it can also be deduced that a total of 3 services are running.

Two of the services are linked to the fake Google packages and the third service is supposedly a log service linked to the “com.uucun” package which is the main package name as noted from the manifest file.

Now let’s move on to the dynamic analysis portion.

[ Dynamic Analysis ]

Upon installing the uuplay.apk, the app’s icon does not appear under the device home or the application’s display. However, it can be found under the apps’ listings under Android system’s settings.

As you can notice, the icon is the same as the Google PlayStore’s icon.

The app can be started using Android Debug Bridge (adb) commands. From the manifest file, the main activity’s name can be deduced as RootActivity. The following command was used to invoke the main activity:

Next, we used Burp Suite to monitor the network traffic. For instructions on configuring Android emulator to work with Burp Suite you can refer here.

Upon installing the app, information like imei number, sim card type, os version, date timestamp, app version and airpush version (mobile ads) were double url encoded and was posted to h–p://cloud6.devopenserv.com as shown in the screenshot from Burp Suite below.

Next it checks for updates for all the pre-installed apps from h–p://agoldcomm.plat96.com

If you search for any app, e.g Whatsapp, you can see that the searched information together with the phone information being posted out and subsequently the relevant apk file will be downloaded from h–p://apk.hiapk.com

h–p://apk.hiapk.com is one of many un-official Android Marketplace from China.

While all these can be considered “fairly” normal behavior for an “Google PlayStore”, there are also other suspicious activities. Like at certain intervals (even when the app is not in use) encrypted data are being posted to urls like h–p://log6.devopenserv.com

The URL to which the data is posted is not hard-coded. Meaning, sometimes the data are being posted to other URLs. But the key point is data (judging from the long list of permissions, it could be anything the app has access to) is being encrypted and were being ex-filtrated from the device.

[ Conclusion ]

In conclusion, uuplay is an application that masquerades as the official Google PlayStore application. It does similar activities like installing applications fetched mainly from the following urls:

– h–p://apk.hiapk.com

-h–p://agoldcomm.plat96.com

At the same time, it also posts out personal information masked as log data to the following urls: